My first step is but I was helped by it. I had a good old fashion pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me) And I did what I should have done before I started my site. And here is where I would like you to start as well. Learn how to protect yourself until you get hacked. The thing about rename your login url to secure your wordpress website and why so many of us recommend because it is really easy to learn, it is. That can be a detriment to the health of our sites. We need to learn how to add a security fence.
Safeguard your login credentials - Do not keep your login credentials where they might be found by a hacker. Store them offsite, as well as offline. Roboform is very good for protecting them. Food for learn this here now thought!
Keep control of your assets that are online - Nothing is worse than having your livelihood in the hands of someone else. Why take chances with something as important as reference your site?
Black and whitelists pathological-looking phrases based on which area they appear inside. (unknown/numeric parameters vs. known post bodies, comment bodies, etc.).
These are three very simple things you can do to keep WordPress secure without plugins. Set a blank Index.html file in your folders, run your web host security scan and backup your entire account.